DEF CON 22 [Materials] Speeches from the Hacker Convention.
DEF CON
113 episodes
8 months ago
The DEF CON series of hacking conferences were started in 1993 to focus on both the technical and social trends in hacking, and has grown to be world known event. Video, audio and supporting materials from past conferences are available on our new media server at: https://media.defcon.org
Technology
Tech News
All content for DEF CON 22 [Materials] Speeches from the Hacker Convention. is the property of DEF CON and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (20/113)
Zack Fasel - Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools </buzzwords>
Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools
Zack Fasel, Managing Partner, Urbane Security

Many struggle in their job with the decision of what events to log, in a battle against costly increases to the licensing of a commercial SIEM or other logging solution. Leveraging the proven open source solutions used for "big data" can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We'll walk through the various components and the simple steps to building your own logging environment that can grow extensively (or stay sized just right) at only the cost of additional hardware, and show numerous examples you can implement as soon as you get back to work (or home).

Zack Fasel is a Founding Partner at Urbane Security, a solutions-focused, vendor-agnostic information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on him can be found at zfasel.com and on Urbane Security at UrbaneSecurity.com.
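The first thing a home-built logging environment of the kind described above has to do, before any big-data backend sees an event, is turn lines from unrelated sources into one consistent schema. The following is an added example of that normalization step; it is not code from the talk or from Urbane Security. It assumes two input formats (RFC 3164-style syslog and Apache/Nginx combined access log), a hypothetical target schema with the field names used below, and constructed sample lines rather than captures from any real system. Unparseable lines are kept and tagged rather than dropped, so a parser gap never silently discards evidence.

```python
"""Normalize heterogeneous log lines into one JSON-ready event schema.

Added example for the Fasel talk; not code from the talk or Urbane Security.
Assumes RFC 3164-style syslog and combined-format HTTP access logs as inputs,
and a hypothetical target schema (the field names below are an assumption).
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines (not captured from any real system).
SAMPLE_LINES = [
    "Jan 12 03:14:07 bastion sshd[2211]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    '198.51.100.7 - - [12/Jan/2014:03:14:09 +0000] "GET /login HTTP/1.1" 401 512 "-" "curl/7.35"',
    "this line matches nothing",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(line, year=2014):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year or zone; assume the given year and UTC.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ip = IPV4_RE.search(m["msg"])
    return {
        "@timestamp": ts.isoformat(),
        "source": "syslog",
        "host": m["host"],
        "app": m["app"].strip(),
        "pid": int(m["pid"]) if m["pid"] else None,
        "src_ip": ip.group(0) if ip else None,
        "message": m["msg"],
    }


def parse_combined(line):
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "@timestamp": ts.astimezone(timezone.utc).isoformat(),
        "source": "http_access",
        "host": None,
        "app": "httpd",
        "pid": None,
        "src_ip": m["src"],
        "http_method": m["method"],
        "http_path": m["path"],
        "http_status": int(m["status"]),
        "message": line,
    }


def normalize(line):
    """Return a normalized event dict, or a tagged 'raw' event when nothing parses."""
    for parser in (parse_syslog, parse_combined):
        event = parser(line)
        if event is not None:
            return event
    return {"@timestamp": None, "source": "raw", "message": line, "parse_error": True}


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(json.dumps(ev, sort_keys=True))
```

Each output dict is one JSON document per event, which is the shape every indexer-style backend expects; the shared `@timestamp`, `source` and `src_ip` fields are what make a cross-source query ("all events from this IP in the last hour") possible without per-format special cases.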
10 years ago

Will Schroeder - Veil-Pillage: Post-exploitation 2.0
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Schroeder/DEFCON-22-Will-Schroeder-Veil-Pillage-Post-Exploitation-2.0.pdf

Veil-Pillage: Post-exploitation 2.0
Will Schroeder, Security Researcher, Veris Group

The Veil-Framework is a project that aims to bridge the gap between pentesting and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult, and branched into powershell functionality with the release of Veil-PowerView for domain situational awareness. This talk will unveil the newest addition to the Veil-Framework, Veil-Pillage, a fully-fledged, open-source post-exploitation framework that integrates tightly with the existing framework codebase.

We'll start with a quick survey of the post-exploitation landscape, highlighting the advantages and disadvantages of existing tools. We will cover current toolset gap areas, and how the lack of a single solution with all the options and techniques desired drove the development of Veil-Pillage. Major features of the framework will be quickly detailed, and the underlying primitives that modules build on will be explained.

Veil-Pillage, released immediately following this presentation, makes it easy to implement the wealth of existing post-exploitation techniques out there, public or privately developed. Currently developed modules support a breadth of post-exploitation techniques, including enumeration methods, system management, persistence tricks, and more. The integration of various powershell post-exploitation components, assorted methods of hashdumping, and various ways to grab plaintext credentials demonstrate the operational usefulness of Veil-Pillage. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities. Welcome to Veil-Pillage: Post-Exploitation 2.0.

Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for Veris Group, and is one of the co-founders and active developers of the Veil-Framework, a project aimed at bridging the gap between pentesting and red-team toolsets. Will recently presented at Shmoocon '14 on AV-evasion and custom payload delivery methods utilizing tools he developed, Veil-Evasion and Veil-Catapult. He has presented at various BSides events on the Cortana attack scripting language and obfuscated Pyinstaller loaders. He is also the author of Veil-PowerView, a tool for gaining situational awareness on Windows domains, and is an active powershell hacker. A former national lab security researcher, he is happy to finally be in the private sector.

Twitter: @harmj0y
10 years ago

Fatih Ozavci - VoIP Wars: Attack of the Cisco Phones
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Ozavci/DEFCON-22-Fatih-Ozavci-VoIP-Wars-Attack-of-the-Cisco-Phones-UPDATED.pdf

VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci, Senior Security Consultant, Sense of Security

Many hosted VoIP service providers are using the Cisco hosted collaboration suite and Cisco VoIP solutions. These Cisco hosted VoIP implementations are very similar: they have Cisco Unified Communication services, the SIP protocol for tenants' IP Phones, common conference solutions, the Skinny protocol for compliance, a generic RTP implementation, and the VOSS Solutions product family for tenant management services. Cisco hosted VoIP implementations are vulnerable to many attacks, including:

- VLAN attacks
- SIP trust hacking
- Skinny based signalling attacks
- Bypassing authentication and authorisation
- Call spoofing
- Eavesdropping
- Attacks against IP Phone management services
- Web based vulnerabilities of the products

The presentation covers Skinny and SIP signalling attacks, a 0day bypass technique for call spoofing and billing bypass, LAN attacks against supporting services for IP Phones, and practical 0day attacks against IP Phone management and tenant services. Attacking Cisco VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the presenter). It has a dozen modules to test trust hacking issues, signalling attacks against SIP services and Skinny services, gaining unauthorised access, call spoofing, brute-forcing VoIP accounts, and debugging services by using it as a MITM. Furthermore, Viproy provides these attack modules in a penetration testing environment with full integration. The presentation contains live demonstrations of practical VoIP attacks and usage of the new Viproy modules.

Fatih Ozavci is a Security Researcher and Senior Consultant with Sense of Security. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit and the MBFuzzer Mobile Application MITM Fuzzer tool, and he has also published a paper about Hacking SIP Trust Relationships. Fatih has discovered many unknown security vulnerabilities and design and protocol flaws in VoIP environments for his customers, and analyses VoIP design and implementation flaws to help improve VoIP infrastructures. Additionally, he has completed numerous mobile application penetration testing services including, but not limited to, reverse engineering of mobile applications, exploiting mobile service level vulnerabilities, and attacking the data transport and storage features of mobile applications. His current research focuses on attacking mobile VoIP clients, VoIP service level vulnerabilities, web based VoIP and video conference systems, decrypting custom mobile application protocols and MITM attacks for mobile applications. While Fatih is passionate about VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. Fatih presented his VoIP research and tool in 2013 at DEF CON 21 (USA), Blackhat Arsenal USA 2013, Cluecon 2013 (USA), Athcon 2013 (Greece), and Ruxcon 2013. Fatih will also present two training sessions at AusCERT 2014, "Next Generation Attacks and Countermeasures for VoIP" and "Penetration Testing of Mobile Applications and Services".

http://viproy.com/fozavci/
http://fozavci.blogspot.com/
http://tr.linkedin.com/pub/fatih-ozavci/54/a71/a94
https://twitter.com/fozavci
http://packetstormsecurity.com/files/author/5820
http://www.exploit-db.com/author/?a=5425
http://www.github.com/fozavci
10 years ago

Dominic White and Ian de Villiers - Manna from Heaven: Improving the state of wireless rogue AP attacks
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/White-deVilliers/DEFCON-22-Dominic-White-Ian-de-Villiers-Manna-from-Heaven-Detailed-UPDATED.pdf

Manna from Heaven: Improving the state of wireless rogue AP attacks
Dominic White, CTO, SensePost
Ian de Villiers, Senior Analyst, SensePost

The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have is hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network, allowing an attacker to target the weakest link.

This combination of vulnerable and heavily used communications should mean that an attacker need only arrive at a location and set up for credentials and access to start dropping from the sky. However, the reality is far from this: karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs, and interception tools struggle to find useful details.

This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk provides details of our research into increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.

Dominic is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 10 years. He is responsible for SensePost's wireless hacking course, Unplugged. He tweets as @singe.

Ian de Villiers is a security analyst at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided security training and spoken at security conferences internationally. Ian previously published numerous tools, such as reDuh (http://research.sensepost.com/tools/web/reduh), and more recently SapProxy (http://research.sensepost.com/cms/resources/tools/servers/sapprox/44con_2011_release.pdf).
10 years ago

Blake Self and Shawn "cisc0ninja" Burrell - Don't DDoS Me Bro: Practical DDoS Defense
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Self/DEFCON-22-Blake-Self-cisc0ninja-Dont-DDOS-me-bro-UPDATED.pdf

Don't DDoS Me Bro: Practical DDoS Defense
Blake Self, Senior Security Architect
Shawn "cisc0ninja" Burrell, SOLDIERX Crew

Layer 7 DDoS attacks have been on the rise since at least 2010, especially attacks that take down websites via resource exhaustion. Using various tools and techniques, it is possible to defend against these attacks on even a shoestring budget. This talk will analyze and discuss the tools, techniques, and technology behind protecting your website from these types of attacks. We will be covering attacks used against soldierx.com as well as attacks seen in Operation Ababil. Source code will be released for SOLDIERX's own DDoS monitoring system, RoboAmp.

Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and in R&D at various corporations. He has been attending Defcon since high school and has given several talks. He currently works in the financial sector and was directly involved in defending against the DDoS attacks of Operation Ababil. Blake holds an M.S. in Computer Science from Purdue University.

Shawn "cisc0ninja" Burrell is a long time crew member of SOLDIERX. He was a critical component of projects such as the "Hacker Database", the largest open source database of individuals involved in the security/hacking scene. He has also worked as a SIPRNET Administrator for the Department of Defense. He currently works in threat intelligence, where he discovers current campaigns and how to defend against them. He once claimed he was the only person at Defcon who could actually dance, although that was before the conference was at its current popularity.

Web: https://www.soldierx.com
Facebook: https://www.facebook.com/soldierxDOTcom
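What distinguishes a layer 7 resource-exhaustion flood from a packet flood is that the request count can stay modest while the backend cost explodes: the attacker picks the search page, the login form or the report generator, not the cached stylesheet. The following added example (not RoboAmp or any other SOLDIERX code) shows the core of a monitor built on that observation: a per-source sliding window that sums a weighted cost per request rather than a raw hit count, run over constructed combined-format access log lines. The endpoint cost table, the 10-second window and the threshold of 100 are all assumptions for illustration.

```python
"""Sliding-window detector for layer 7 (HTTP) resource-exhaustion floods.

Added example for the Self/Burrell talk; not RoboAmp or any SOLDIERX code.
Assumes combined-format access logs; the endpoint cost table, window length
and threshold are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical relative backend cost per endpoint: a search or login hit burns
# far more server time than a static asset, which is what a layer 7 attacker targets.
ENDPOINT_COST = {"/search": 10, "/login": 5, "/report": 20}
DEFAULT_COST = 1


def endpoint_cost(path):
    base = path.split("?", 1)[0]
    return ENDPOINT_COST.get(base, DEFAULT_COST)


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"]


class FloodDetector:
    """Track per-source weighted request cost inside a sliding time window."""

    def __init__(self, window_seconds=10, cost_threshold=100):
        self.window = window_seconds
        self.threshold = cost_threshold
        self._events = defaultdict(deque)   # ip -> deque of (ts, cost) inside the window
        self._totals = defaultdict(int)     # ip -> summed cost inside the window
        self.flagged = {}                   # ip -> first timestamp it crossed the threshold

    def observe(self, ip, ts, cost):
        q = self._events[ip]
        q.append((ts, cost))
        self._totals[ip] += cost
        # Expire entries that have fallen out of the window.
        while q and (ts - q[0][0]).total_seconds() > self.window:
            _, old_cost = q.popleft()
            self._totals[ip] -= old_cost
        if self._totals[ip] > self.threshold and ip not in self.flagged:
            self.flagged[ip] = ts
        return self._totals[ip]


def detect(lines, window_seconds=10, cost_threshold=100):
    """Return the sorted list of source IPs that exceeded the weighted budget."""
    det = FloodDetector(window_seconds, cost_threshold)
    records = [r for r in map(parse_line, lines) if r is not None]
    for ip, ts, path in sorted(records, key=lambda r: r[1]):   # logs may arrive out of order
        det.observe(ip, ts, endpoint_cost(path))
    return sorted(det.flagged)


def build_sample_log():
    """Constructed traffic: one client hammering /search once a second, one browsing normally."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime.strptime("05/Aug/2014:10:00:00 +0000", fmt)
    lines = []
    for i in range(15):
        t = base.replace(second=i).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{t}] "GET /search?q={i} HTTP/1.1" 200 8192 "-" "-"')
    for i in range(0, 15, 5):
        t = base.replace(second=i).strftime(fmt)
        lines.append(f'198.51.100.20 - - [{t}] "GET /static/app.css HTTP/1.1" 200 1200 "-" "-"')
    return lines


if __name__ == "__main__":
    print("flagged sources:", detect(build_sample_log()))
```

Fifteen requests in fifteen seconds is nothing by packet-rate standards, which is why a plain hit counter with a sane threshold never fires here; weighting by endpoint cost is what makes the /search client stand out while the static-asset browser stays invisible. The same structure feeds a blocklist, a CAPTCHA challenge or a rate limiter once a source is flagged.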
10 years ago

Michele Fincher - How do you Feel about your Mother? Psych and The SE
10 years ago

Christopher Soghoian - Blinding The Surveillance State
Blinding The Surveillance State
Christopher Soghoian, Principal Technologist, American Civil Liberties Union

We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not.

That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications, is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.

Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy. He is the Principal Technologist with the Speech, Privacy and Technology Project at the American Civil Liberties Union. Soghoian completed his Ph.D. in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers.
10 years ago

Chris Hadnagy - What Your Body Tells Me - Body Language for the SE
10 years ago

Charlie Miller & Chris Valasek - A Survey of Remote Automotive Attack Surfaces
A Survey of Remote Automotive Attack Surfaces
Charlie Miller, Security Engineer, Twitter
Chris Valasek, Director of Threat Intelligence, IOActive

Automotive security concerns have gone from the fringe to the mainstream, with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently, analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive networks of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?

Charlie Miller is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". Twitter: @0xcharlie

Christopher Valasek is the Director of Security Intelligence at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference. Twitter: @nudehaberdasher
10 years ago

Brent White - Corporate Espionage - Gathering Actionable Intelligence Via Covert Operations
10 years ago

Zoz - Don't Fuck It Up!
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Zoz/DEFCON-22-Zoz-Dont-Fuck-It-Up-UPDATED.pdf

Don't Fuck It Up!
Zoz, Robotics Engineer

Online antics used to be all about the lulz; now they're all about the pervasive surveillance. Whether you're the director of a TLA just trying to make a booty call or an internet entrepreneur struggling to make your marketplace transactions as smooth as silk, getting up to any kind of mischief involving electronic communications now increasingly means going up against a nation-state adversary. And if even the people who most should know better keep fucking it up, what does that mean for the rest of us? What do the revelations about massive government eavesdropping and data ingestion mean for people who feel they have a right, if not a duty, to occasionally be disobedient?

It's time for a rant. Analyzing what is currently known or speculated about the state of online spying through the prism of some spectacular fuckups, this talk offers an amusing introduction to how you can maximize your chances of enduring your freedom while not fucking it up. Learn how not to fuck up covering your tracks on the internet, using burner phones, collaborating with other dissidents and more. If you have anything to hide, and all of us do, pay attention and Don't. Fuck. It. Up!

Zoz is a robotics engineer, prankster and general sneaky bastard. He has been pretty successful at pulling some cool subversive shit and not fucking it up and getting caught. He once faked a crop circle for the Discovery Channel and it was all uphill from there.
10 years ago

Zoltán Balázs - Bypass firewalls, application white lists, secure remote desktops under 20 seconds
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Balazs/DEFCON-22-Zoltan-Balazs-Bypass-firewalls-application-whitelists-in-20-seconds-UPDATED.pdf

Bypass firewalls, application white lists, secure remote desktops under 20 seconds
Zoltán Balázs, Chief Technology Officer at MRG Effitas

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.

I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you circumvent the hardware firewall once we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g. communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including Hacker Halted USA, OHM, Hacktivity, Ethical Hacking, Defcamp. He is a proud member of the gula.sh team, 2nd runner up at the global Cyberlympics 2012 hacking competition.
10 years ago

Weston Hecker - Burner Phone DDOS 2 dollars a day : 70 Calls a Minute
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Hecker/DEFCON-22-Weston-Hecker-Burner-Phone-DDOS-UPDATED.pdf

Burner Phone DDOS 2 dollars a day : 70 Calls a Minute
Weston Hecker, Sr Systems Security Analyst / Network Security

Phone DDOS research. The current proof of concept deals with a Samsung SCH-U365 (Qualcomm) prepaid Verizon phone; custom firmware was written that turns it into an anonymous DoS system. It does PRL list hopping and several other interesting evasion methods. The new firmware allows two features: first, you text it a number and it will spam-call that number 70 times a minute until the battery dies, all for 2 dollars a day; second, if a number that is in its address book calls it, it automatically picks up on speakerphone. Also covered are ways to mitigate this attack with load-balancing Call Manager and CAPTCHA-based systems.

Weston is a Systems Network Analyst, penetration tester, and President of the Computer Security Association of North Dakota, with tons of computer security certs. He studied Computer Science/Geophysics, has 9 years of computer security experience including disaster recovery, and has attended DEF CON since DEF CON 9. Tools: Weston has developed custom plug-ins for scanning tools that are specific to ISP gear (e.g. Calix, Brocade and more obscure ISP gear), made custom "iPhone" enclosures for the Teensy 3.0 that he uses on pen tests, and a custom Arduino-board RFID scanner attachment that mounts under a worker's chair and scans their wallet.

twitter: @westonhecker
10 years ago

Wesley McGrew- Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/McGrew/DEFCON-22-Wesley-McGrew-Instrumenting-Point-of-Sale-Malware.pdf
Additional Materials available: https://www.defcon.org/images/defcon-22/dc-22-presentations/McGrew/DEFCON-22-Wesley-McGrew-Instrumenting-Point-of-Sale-Malware-WP.pdf

Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively
Wesley McGrew, Assistant Research Professor, Mississippi State University

The purpose of this talk is to promote the adoption of better practices in the publication and demonstration of malware analyses. For various reasons, many popular analyses of malware do not contain the information required for a peer analyst to replicate the research and verify results. This hurts analysts that wish to continue to work more in-depth on a sample, and reduces the value of such analyses to those who would otherwise be able to use them to learn reverse engineering and improve themselves personally.

This paper and talk propose that we borrow the concept of "executable research" by supplementing our written analysis with material designed to illustrate our analysis using the malware itself. Taking a step beyond traditional sandboxes to implement bespoke virtual environments and scripted instrumentation with commentary can supplement written reports in a way that makes the analysis of malware more sound and useful to others. As a case study of this concept, an analysis of the recent high-profile point-of-sale malware JackPOS is presented with enough information to replicate the analysis on the provided sample. A captured command-and-control server is included, and Python-based harnesses are developed and presented that illustrate points of interest from the analysis by instrumenting the execution of the malware itself.

Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Department of Computer Science and Engineering, where he works with the newly formed Distributed Analytics and Security Institute. He recently earned a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems. He also lectures for the MSU National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON, and is the author of penetration testing and forensics tools that he publishes through his personal/consultancy website, McGrewSecurity.com.

Twitter: @McGrewSecurity
Web: http://mcgrewsecurity.com
10 years ago

Tim Strazzere and Jon Sawyer - Android Hacker Protection Level 0
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Strazzere-Sawyer/DEFCON-22-Strazzere-and-Sawyer-Android-Hacker-Protection-Level-UPDATED.pdf

Android Hacker Protection Level 0
Tim Strazzere, Lead Research & Response Engineer
Jon Sawyer, CTO of Applied Cybersecurity LLC

Obfuscator here, packer there: the Android ecosystem is becoming a bit cramped with different protectors for developers to choose from. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear: after drinking all the cheap wine, two Android hackers have attacked all the protectors currently available, for everyone's enjoyment! Whether you've never reversed Android before or are a hardened veteran, there will be something for you, along with all the glorious PoC tools and plugins your little heart could ever desire.

Tim "diff" Strazzere is a Lead Research and Response Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices. Past speaking engagements have included DEFCON, BlackHat, SyScan, HiTCON and EICAR.

Jon "Justin Case" Sawyer is a 31 year old father of four, and CTO of Applied Cybersecurity LLC. Jon likes to spend his nights with a fine (cheap) glass of wine, writing exploits for the latest Android devices. When not researching vulnerabilities or writing exploits, he dabbles in dalvik obfuscation.
10 years ago

Tess Schrodinger - From Raxacoricofallapatorius With Love: Case Studies In Insider Threat
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Schrodinger/DEFCON-22-Tess-Schrodinger-Raxacoricofallapatorius-With-Love-Case-Studies.pdf

From Raxacoricofallapatorius With Love: Case Studies In Insider Threat
Tess Schrodinger

Espionage, honey pots, encryption, and lies. Clandestine meetings in hotels. The naïve girl seduced by a suave businessman. The quiet engineer who was busted by the shredded to-do list found in his trash. Encryption the NSA couldn't crack. What motivates insiders to become threats? How were they caught? What are potential red flags to be aware of? Acquire a new awareness around what makes these people tick.

Tess has over twenty years in law enforcement, investigation, forensics (bullets & blood, not 1s & 0s), and industrial security. She holds a Bachelor of Sociology, a Master of Security Management, and a graduate certificate in cybersecurity technology. One of her many current objectives is to bridge the gap between traditional security and cyber security by promoting awareness and education to the technologically ignorant, who are often overwhelmed by the potential threats and how they can be targeted, and to the technically gifted, who are often unfamiliar with the threats, vulnerabilities, and mitigation techniques that lie outside their world of technology.
10 years ago

Svetlana Gaivoronski and Ivan Petrov - Shellcodes for ARM: Your Pills Don't Work on Me, x86
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Petrov-Gaivoronski/DEFCON-22-Ivan-Petrov-Svetlana-Gaivoronski-ShellCodes-for-ARM-Updated.pdf
Extra Materials are available here: https://defcon.org/images/defcon-22/dc-22-presentations/Petrov-Gaivoronski/DEFCON-22-Ivan-Petrov-Svetlana-Gaivoronski-ShellCodes-for-ARM.avi

Shellcodes for ARM: Your Pills Don't Work on Me, x86
Svetlana Gaivoronski, PhD Student, Moscow State University, Russia
Ivan Petrov, Masters Student, Moscow State University, Russia

Despite it being almost 2014, the problem of shellcode detection, discovered in 1999, is still a challenge for researchers in industry and academia. The significance of remotely exploitable vulnerabilities does not seem to fade away. The number of remotely exploitable vulnerabilities continues to grow despite the significant efforts in improving code quality via code analysis tools, code review, and a plethora of testing methods.

The other trend of recent years is the rise of a variety of ARM-based devices such as mobile phones, tablets, etc. As of now the total number of ARM-based devices exceeds the number of PCs many times over. This trend is sometimes terrifying, as people trust almost all aspects of their lives to such digital devices. People care much more about convenience than about the security of their data. For example, mobile phones now know our financial information and health records, and keep a lot of other private data. That's why ARM-based systems have become a cherry pie for attackers.

There is a variety of shellcode detection methods that work more or less acceptably with x86-based shellcodes. There are even hybrid solutions that combine the capabilities of existing approaches. Unfortunately, almost all of them focus on a fixed set of shellcode features specific to the x86 architecture. This work aims to cover this gap. This work makes the following contributions:

- We provide an analysis of existing shellcode detection methods with regard to their applicability to shellcodes developed for the ARM architecture. As a result, we show that most existing algorithms are not applicable to shellcodes written for ARM. Moreover, the methods that do work for ARM shellcodes produce too many false positives to be applicable to real-life network channels and 0-day detection.
- We analyzed available ARM-based shellcodes from public exploit databases, and identified a set of ARM shellcode features that distinguishes them from x86 shellcodes and benign binaries.
- We implemented our detectors of ARM shellcode features as an extension for the Demorpheus[1] shellcode detection open-source library. The algorithm used for generation of the detectors' topology guarantees the solution to be optimal in terms of computational complexity and false positive rate.

Svetlana Gaivoronski is a PhD student at the Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana was a member of the Bushwhackers CTF team. Svetlana worked on the Redsecure project (an experimental IDS/IPS) at Moscow State University. In summer 2013 Svetlana worked at Microsoft Research on a botnet detection in clouds project. Now Svetlana works on shellcode-detection and DDoS-mitigation projects. Her primary interests are network worm propagation detection and filtering, shellcode detection, static and runtime analysis of malware, DDoS detection and filtering. Twitter: @SadieSv

Ivan Petrov is a master's student at the Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Ivan is an active member of the Bushwhackers CTF team, which is the winner of the iCTF competition this year. Ivan works on shellcode-detection projects. His primary interests are mobile security and network security, including analysis of ARM-based malware. Twitter: _IvanPetrov_
10 years ago

Shane Macaulay - Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf

Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System

Shane Macaulay DIRECTOR OF CLOUD SECURITY, IOACTIVE

Windows7 & Server 2008R2 and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more; e.g. using PTE shellcode from ring3 to induce code into ring0, or hiding rootkits with encoded and decoded page table entries. Additional ranges/vectors, the Kernel Shim Engine, ACPI/AML, and boot-up resources & artifacts will also be shown to be useful for code gadgets. We cover the state of affairs with the changes between Win7/8, which exposures were closed and which may remain. APT threats abuse many of these areas to avoid inspection. By the end of this session we will also show you how to walk a page table, why Windows8 makes life easier, what to look for, and how to obtain a comprehensive understanding of what possible code is hiding/running on your computer. Final thoughts on using a VM memory snapshot to fully describe/understand any possible code running on a Windows system.

Shane “K2” Macaulay's last DEF CON presentation was on an offensive tool, ADMmutate, at DEF CON 9, but he has more recently focused on defensive techniques and helped develop an APT detection service (http://blockwatch.ioactive.com) used to protect Microsoft OS platforms. Shane has spent time finding ways to fully understand the state of system code and answer “What is actually running on your computer?” to aid forensic analysis, incident response and enterprise protection. Shane is currently employed by IOActive as Director of Cloud Security and has presented at many previous security conferences/venues.
10 years ago

Shahar Tal - I Hunt TR-069 Admins: Pwning ISPs Like a Boss
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Tal/DEFCON-22-Shahar-TaI-I-hunt-TR-069-admins-UPDATED.pdf

I Hunt TR-069 Admins: Pwning ISPs Like a Boss

Shahar Tal SECURITY & VULNERABILITY RESEARCH TEAM LEADER, CHECK POINT SOFTWARE TECHNOLOGIES

Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape: every so often we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical numbers of users. These servers are, by design, in complete control of entire fleets of customer premises devices, intended for use by ISPs and Telco providers, or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits for vulnerabilities we discovered in ACS software, including RCE on a popular package, leading to ACS (and managed fleet) takeover.

Shahar Tal leads a team of Security & Vulnerability Researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that's Major Tal, for you) brings over ten years of experience in his game and is eager to speak and share in the public domain. Shahar is a proud father, husband and a security geek who still can't believe he's getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.
10 years ago

Scott Erven and Shawn Merdinger - Just What The Doctor Ordered?
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Erven-Merdinger/DEFCON-22-Scott-Erven-and-Shawn-Merdinger-Just-What-The-DR-Ordered-UPDATED.pdf

Just What The Doctor Ordered?

Scott Erven FOUNDER & PRESIDENT SECMEDIC, INC
Shawn Merdinger HEALTHCARE SECURITY RESEARCHER

You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well, think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss of human life. And yes, you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world, with the potential loss of human life. This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.

Scott Erven is a healthcare security visionary and thought leader with over 15 years’ experience in Information Technology & Security. He is also the Founder and President of SecMedic, Inc. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been involved in numerous IT certification development efforts as a subject matter expert in Information Security. His current focus is research affecting human life and public safety issues inside today’s healthcare landscape.

Shawn Merdinger is a security researcher with 15 years' information security and IT experience. He is founder of MedSec, a LinkedIn group focused on medical device security risks with over 500 members, and has worked with Cisco Systems, TippingPoint, an academic medical center, and as an independent security researcher and consultant. He's served as technical editor for 12 security books from Cisco Press, Pearson, Syngress and Wiley. Shawn has presented original security research at DEFCON, DerbyCon, Educause, ShmooCon, CONfidence, NoConName, O’Reilly, IT Underground, InfraGard, ISSA, CarolinaCon and SecurityOpus. He holds a master's from the University of Texas at Austin and two bachelor's from the University of Connecticut.
10 years ago
